"Assertion failure: op == JSOP_LEAVEBLOCKEXPR ? ..." with WAY_TOO_MUCH_GC

VERIFIED FIXED

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
11 years ago
10 years ago

People

(Reporter: Jesse Ruderman, Assigned: Igor Bukanov)

Tracking

(Blocks: 1 bug, {crash, testcase, verified1.8.1})

Trunk
crash, testcase, verified1.8.1
Points:
---
Bug Flags:
blocking1.8.1 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] js1.7)

Attachments

(2 attachments, 1 obsolete attachment)

2.40 KB, patch
Igor Bukanov
: review+
mrbkap
: review+
Mike Schroepfer
: approval1.8.1+
Details | Diff | Splinter Review
2.38 KB, text/plain
Details
(Reporter)

Description

11 years ago
This is with "prep patch for plan A, v7b" from bug 346642.  You must have WAY_TOO_MUCH_GC enabled to see the bug.

js> for (let a in [1]) let (x) { for(let y in ((function(id2) { return id2; })( '' ))) { } }

Assertion failure: op == JSOP_LEAVEBLOCKEXPR ? fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp - 1 : fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp, at jsinterp.c:6031
(Assignee)

Updated

11 years ago
Assignee: general → igor.bukanov
I've diagnosed this, Igor is on it.  Should fix for 1.8.1.

/be
Flags: blocking1.8.1?
(Assignee)

Comment 2

11 years ago
Created attachment 241501 [details] [diff] [review]
Fix v1

The fix. It is the minimal version since it also moved parent checks, but it is easy to comment what is going on in this way.
Attachment #241501 - Flags: review?(brendan)
(Assignee)

Updated

11 years ago
Attachment #241501 - Flags: review?(mrbkap)
Comment on attachment 241501 [details] [diff] [review]
Fix v1

r=me, please land ASAP.  The branch will need a different patch without JS_PUSH_TEMP_ROOT_OBJECT.

/be
Attachment #241501 - Flags: review?(brendan) → review+

Updated

11 years ago
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
(Assignee)

Comment 4

11 years ago
Created attachment 241510 [details] [diff] [review]
Fix v2

A patch to commit that does not use the object form of tvr root to saty compatible with 1.8.1 branch.
Attachment #241501 - Attachment is obsolete: true
Attachment #241510 - Flags: review+
Attachment #241501 - Flags: review?(mrbkap)

Updated

11 years ago
Attachment #241510 - Flags: approval1.8.1?
(Assignee)

Updated

11 years ago
Attachment #241510 - Flags: review?(mrbkap)
(Assignee)

Comment 5

11 years ago
I committed the patch from comment 4 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.297; previous revision: 3.296
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

11 years ago
Attachment #241510 - Flags: review?(mrbkap) → review+

Comment 6

11 years ago
Created attachment 241537 [details]
js1_7/regress/regress-353079.js

Updated

11 years ago
Flags: in-testsuite+

Comment 7

11 years ago
Comment on attachment 241510 [details] [diff] [review]
Fix v2

Approved for RC3.
Attachment #241510 - Flags: approval1.8.1? → approval1.8.1+

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+
(Assignee)

Comment 8

11 years ago
I committed the patch from comment 4 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.68; previous revision: 3.181.2.67
done
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.1
Whiteboard: [sg:critical?] js1.7

Comment 9

11 years ago
verified fixed 1.8 20061011 dbg way too much gc builds on windows/macppc/linux
Keywords: fixed1.8.1 → verified1.8.1

Comment 10

11 years ago
verified fixed 1.9 20061121 windows/linux
Status: RESOLVED → VERIFIED
Group: security

Comment 11

10 years ago
/cvsroot/mozilla/js/tests/js1_7/regress/regress-353079.js,v  <--  regress-353079.js
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611
You need to log in before you can comment on or make changes to this bug.